As More Services Move To The 'Cloud' What Does It Mean For IT Security?

from the an-upcoming-webinar dept

While the term "the cloud" is still pretty loosely defined, there's no doubt that more and more services are being offered over the internet, and many of those are enterprise-type offerings. For example, lots of well-known companies are using Google Docs, and Salesforce.com has really become quite the standard in many, many places for any type of CRM/sales force automation. But what does that mean for IT folks, who are used to having full control over the technology being used by employees? How can they make sure that the services that employees are using are secure and protected? And, for companies building their own online services that they hope will be used in enterprises around the globe, how should they best prepare to build a system that meets the security requirements of in-house IT staff? On top of that, beyond traditional "technology" security, there are serious legal security questions as well. How protected, legally speaking, is the data stored in the cloud? Is it covered under different laws? And do the answers to these questions depend on whether you're "webifying" legacy systems as compared to building entirely new systems?

Well, we're hoping to answer a bunch of these questions with a new webinar that we're putting on next Tuesday, May 11th at 9am PT/noon ET (register here), as a part of our ongoing IT Innovation series -- sponsored by Oracle and Intel. I'll be moderating the discussion, and the discussion will be led by two of the most knowledgeable folks I know on this topic: Jake Kaldenbaugh of CloudStrategies, and formerly an exec at NEC, where he drove early strategic efforts focusing on virtualization and cloud computing, and Sam Quigley of Emerose, a leading expert on cloud security, who previously was a founding member of EDS's security and privacy services group, an open source developer at security appliance vendor Astaro, the sole security person at Xign (which became JP Morgan Treasury Services) and Vice President of security and operations at Wesabe, the online financial startup.

The webinar will consist of a brief presentation, followed by discussion -- and we're hoping to make it as interactive as possible, so come ready with questions. If you'd like to attend, please register now!

Separately, it's worth noting that we recently refreshed the IT Innovation website, to reflect that it's sponsored by Oracle and Intel (Oracle taking over from Sun following the acquisition), and we've also refreshed the resource center with a series of new whitepapers, including (but not limited to):

Also, while there is plenty of overlap in posts between Techdirt's main site and IT Innovation, some posts are reserved just for folks following IT Innovation. So, if you're not following that site, you may have missed stories questioning what comes after silicon as we (perhaps) approach the limits of Moore's law and a discussion on the popularity of certain programming languages.

perhaps this stuff would be better left on the other site. i cannot picture a bunch of teenagers being really interested in business computing. perhaps just a good way to pump up views and make it look like the advertisers get something.

Re: Re: Re:

I'll answer this for you right now

1. There is no business outside of a cloud provider itself that should store critical client data in the cloud.

2. The cloud does not provide any level of guarantee (that is financially backed) that your data is secure. They should *all* provide money where their mouth is: secure your data or pay a fine per resource stolen/accessed. But none do. This is telling.

3. If you do not maintain physical control of your data, access to data, then your data is not secure; period. Can the cloud allow you to walk to the machine and pull the HDD? Then it isn't your data.

4. Look at the Google Gaia breach. For all we know Google and 20+ companies out there are hacked and someone else is running root on them. Let me emphasize this: Google and 24 anonymous companies experienced breaches and do not tell you the extent. If a company that takes security seriously like Google and holds your data gets hacked, you can bet your ass small cloud vendors have as well.
I barely trust Cisco router IOS's, let alone the cloud on the other side.

The cloud is a joke for any business or person that values their data staying secure.

Re:

Corrected version, IMHO:

"If you have something that you don't want anyone to know, maybe you shouldn't be using Google or Facebook."

-- Eric Schmidt, corrected.

The Cloud offers the potential of much more robust information security than individually managed PCs and local enterprise networks. Don't confuse the Cloud as a platform with current Cloud applications. That's like saying PC security is shitty because IE6 is full of security holes.

Re: Re: Re: Re:

Link please...

As per usual, the claims of the infamous anonymous commenter are wrong. Our two largest userbases are 18-34 and 35-49. The 13-18 part of our readership is actually well *below* standard, representing less than 10% of our readership.

The Cloud offers the potential of much more robust information security than individually managed PCs and local enterprise networks. Don't confuse the Cloud as a platform with current Cloud applications. That's like saying PC security is shitty because IE6 is full of security holes.

But only the potential - web services are often managed by the cheapest staff a company can find to do it - not always, but how would you know?

I certainly wouldn't trust anything 'important' to a third party, personally.

It's true if you really need to secure something - it's best if it never comes in contact with the internet.

That's what really amazes me when it comes to Government/Industry and the so called 'critical systems' and their supposed 'vulnerabilities' - they shouldn't put stuff like that on the web at all.

Where I work, all the crucial process control machines are on their own isolated networks - if you want to hack them, you'll need to be at the site physically. Still intrinsically more secure than something on the web that way, even if the password is 12345 - because physical presence is a requirement to even get to a password prompt.

Re: I'll answer this for you right now

Your answer is wrong. I'm betting you're a company IT geek because with IT guys, it's all about a false sense of control, not about what the technology can offer.

IT departments fought like hell against cell phones and smart phones. When employees purchased their own and started expensing them, IT departments then were forced to incorporate them, add security policies, negotiate corporate deals, etc. VERY FEW IT departments ever said "here is some cool new technology, let's use it!"

You talk about Google as though Google is the cloud. It isn't. Google is a search company that scatters mediocre apps to the wind to see what happens. They are not a benchmark of quality for ANYTHING except search and search-based ads. How about the Telecom companies? They are all Cloud-based. They now offer SIX 9s availability for regulated services because if they don't, they have to report it to the FCC. But they move slowly and don't 'get' today's business needs. My point is that the Cloud is a platform that offers much higher security to an enterprise than rogue PCs and local Enterprise servers... but you have to implement wisely, according to what your business requires, which few companies do.

Re:

But only the potential - web services are often managed by the cheapest staff a company can find to do it - not always, but how would you know?

I won't argue this. But that means the company is the weak link in the chain, not the Cloud. These same underpaid employees have even more opportunity to compromise and abscond with data that is stored locally.

I certainly wouldn't trust anything 'important' to a third party, personally.

You just said you wouldn't trust your lowest-paid employees, now you say you wouldn't trust a third party that lives or dies based on being secure. Which is it?

It's true if you really need to secure something - it's best if it never comes in contact with the internet.

This is a huge myth. Network-level security, authentication, and encryption offer a more robust security solution than local versions. I'm not saying that the available services deliver that, I'm saying that the Cloud offers that potential. Don't confuse the Cloud with the available services.

Re:

Re: Re:

"The Cloud offers the potential of much more robust information security than individually managed PCs and local enterprise networks."

This may be true for the average intarweb user ...
however, there are many out there with sophistication which far exceeds the simplistic security employed by cloud computing offers. I will keep my computing needs local, thank you.

Re: Re: I'll answer this for you right now

Re: Re:

Ok, stop with the sales pitch already.
Sheesh.
Anyone with an ounce of pessimism knows that the terms and conditions upon your "cloud" data will change without notice and your data will be available to the highest bidder. Please stop with the BS
thank You, The Internet

Re: Re: I'll answer this for you right now

Yep I'm an IT geek and it's ACCESS to that data I'm concerned about.

I was the first person in the company with a smartphone, and we immediately approved it for wide distribution with heavy encryption on the device and wirelessly, and remote wipe, no texting or other way of getting the data through the phone other than through our internal systems. Smartphones aren't a critical holding place where work gets done, at least yet.

Telecoms(nonwireless, mind you) can offer 6 9's because the technology has been around over 100 years. Note that telecoms break when there are disasters, like the SFO earthquake, New Orleans, NY Terrorism. All three of those areas experienced outages of one type or another communication-wise.

Google and Amazon are the premier players in cloud-based services, that much isn't under contention, and neither has had 5 9's on critical cloud platforms since inception. Neither backs it up with $ either, just refunds. I know companies with frequent outages on their Google Apps Domain, but those outages simply aren't reported by Google on their dashboard.
Put your money where your mouth is.

Re: Re:

Network-level security, authentication, and encryption offer a more robust security solution than local versions. I'm not saying that the available services deliver that, I'm saying that the Cloud offers that potential. Don't confuse the Cloud with the available services.

How can you say such a thing when there are hundreds of vulnerabilities discovered every month in said systems? DNS alone, SSL cert-signing alone, both have serious deficiencies that have not been addressed internet-wide, let alone locally.

Look at IBM: They don't connect anything critical to the Internet, they do as the previous poster suggested and you must be on a specific network to access it and have NO INTERNET CAPACITY to do so. They have several "ringed" networks like this that restrict what can and cannot access critical data. I don't see them changing this just because cloud computing tells them to.

Re: Re: Re: Re: Re: Re:

Perhaps. And if that's the case then the data would be even MORE in the direction we claimed. But, as I said, we don't rely on that data. I just used it because someone wanted public data. We also collect our own data, and it actually reflects Quantcast's as well.

protip: I block it across all sites, and you have no fucking idea what age I am.

Good for you.

I would take that data with a very large grain of salt, Mike.

Did you not read the comment where I pointed out that we had our own data as well?

A long way to go...

With the increase in cloud based services, security is more important than ever. I read a lot about virtualization, particularly about cloud computing, and I can tell you that virtual security is a major issue.